SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Mimecast: Employee training must supplement application security
Wed, 8th May 2019

Too many organisations are looking for a technical solution to what is essentially a human problem.

A company's biggest security risk is unintentional employee negligence.

Most security professionals agree that awareness training is the best way to tackle the problem, but traditional training methods, on the whole, aren't moving the needle.

TechDay spoke to Michael Madon, Mimecast's senior vice president and general manager of security awareness and threat intelligence products, about what organisations can do to reduce risk.

How is Mimecast's Awareness Training aiming to help address human error in cybersecurity?    

Human error is involved in 90% or more of all business security breaches.

The question is what to do about it.

For some, the answer is mostly technical – programs and packages that try to solve for human error without putting any faith or responsibility in human beings.

But we strongly believe that employees play a critical role in your security posture and that instead of coping with an employee base that is a liability, one should foster an employee base that is part of your active defence - a human firewall, if you will.

That's what Mimecast's Awareness Training does.

We offer security products for email, web, business continuity and archiving, now combined with engaging, impactful commercial training programs available in the market today.

Our specific training approach uses humour as an engagement mechanism, keeps the modules to 3-5 minutes a month and trains persistently – on average once a month.

We use phish testing and risk scoring to help identify who needs additional training and offer customers the ability to deploy custom training modules and campaigns based on that intelligence.

This approach creates a virtuous cycle of behaviour change, learning and increasing levels of security awareness, in a fun, positive, respectful and effective manner.

How is a human-centric approach to cybersecurity more effective than an application approach?   

I don't think it's a question of more effective.

I think it's about being complementary.

It's left hand, right hand.

And if you don't have either one, then you are defending yourself with a single hand.

Educating people to be cyber-aware is an important part of an effective cyber resilience strategy. 

This enhances the security posture of our clients, one already bolstered by the other tech-centric products in Mimecast's portfolio. To really have an effective cybersecurity plan in any organisation, it requires both a human-centric and an application approach. 

How is Mimecast's Awareness Training different from other education programs?  

I believe the biggest differentiator is how engaging our training is.

If training is boring and unengaging, it does not work.

If it is not frequent, it does not work.

If it takes more than a few minutes out of someone's busy day, it does not work.

You have to strike the right balance to make it consumable, relatable and top of mind, without triggering negatives like “I really don't have time for this” or “I hate sitting through this.”

Humour is an essential part of our cybersecurity training and we believe this is a key part of why our approach is so successful.

As human beings, it's hard to tune out when something is funny.

With other vendors, training can be challenging, with long employee sessions often considered boring and uninteresting.

But add humour to employee training, keep it short and punchy, and employees are more likely to listen, laugh and, in more cases than not, absorb the knowledge we are sharing.

What's the single biggest thing that organisations can do to reduce risk?   

Lead by example.

Establish a security program in a holistic way that ensures a commitment of security across the organisation.

This means a responsibility at the C-suite level to be engaging, endorsing, and supportive of training.

It is our belief that if employees know how important the topic is, that senior leadership takes it very seriously, and the training itself is persistent, not burdensome and very engaging, the results will be dramatic.